ABSTRACT



A roaming user needing his authentication credential (e.g., private key) to access a computer server to perform an electronic transaction may obtain the authentication credential in an on-demand fashion from a credential server accessible to the user over a computer network. In this way, the user is free to roam on the network without having to physically carry his authentication credential. Access to the credential may be protected by one or more challenge-response protocols involving simple shared secrets, shared secrets with one-to-one hashing, or biometric methods such as fingerprint recognition. If camouflaging is used to protect the authentication credential, decamouflaging may be performed either at the credential server or at the user's computer.

52 Claims, 3 Drawing Sheets 
Fig. 2
Fig. 3
METHOD AND APPARATUS FOR SECURE
DISTRIBUTION OF AUTHENTICATION 
CREDENTIALS TO ROAMING USERS 

CROSS-REFERENCE TO RELATED
APPLICATIONS 

This application is a Continuation-in-Part of pending U.S. 
patent application Ser. No. 08/996,758 filed Dec. 23, 1997. 

BACKGROUND OF THE INVENTION

In networked computer deployments, users of client computers are required to authenticate themselves to server computers for applications such as electronic mail, accessing privileged or confidential information, purchasing goods or services, and many other electronic commerce transactions. When the information involved is of relatively low value, it may be sufficient for the user to authenticate himself with a simple password. However, when the information is of high value, or when the data network is unsecured, simple passwords are insufficient to control access effectively. For example, when computers are accessed across the Internet, passwords are easy to capture by filtering packets as they traverse the network. Alternatively, passwords can be guessed or "cracked" by intelligent trials, since passwords are often six or fewer characters. In brief, the convenience of passwords makes them easy to break — if they are sufficiently easy for the user to remember, they are sufficiently easy for the hacker to guess.

To overcome the insecurity of the password, alternative technologies have been developed. One such technology is asymmetric key cryptography. In this technology, each user has two keys, a private key and a public key. The user performs a cryptographic operation (e.g., an encryption or a digital signature) on a digital quantity using his private key, such that the quantity may be authenticated by a verifier having access only to the user's public key. The private key therefore serves as the user's authentication credential. That is, the verifier need not know the user's private key in order to authenticate the user. Because the public key may be widely disseminated while the private key remains confidential, strong authentication is provided with enhanced security. Private keys are generally too long and complex for the user to memorize, and are therefore usually stored in software or hardware tokens, and interfaced with computers prior to use.

One such software token is the so-called software wallet, in which the private key is encrypted with a password or other access-controlled datum. In such software wallets, an intruder is not deterred from repeatedly trying passwords, in an exhaustive manner, until he recovers the private key. This poses analogous security risks to the simple password schemes described above. In addition, the software wallet is stored on a user's computer, which may be inconvenient if the user needs to freely roam from one location to another.

In contrast to software wallets, hardware tokens such as smart cards are more secure, and can be conveniently carried as the user roams. In a typical hardware smart card, the private key is stored in hardware, and protected by a watchdog chip that allows the user to access the private key, should he enter the correct password that unlocks the smart card. The smart card can even be configured so that, if a hacker attempts to guess passwords, the card locks up after a small number of successive missed attempts. The disadvantages of hardware tokens are: (1) roaming is restricted to locations where the appropriate token reader hardware is installed; (2) hardware tokens are expensive in contrast to software tokens; (3) hardware tokens must be physically carried wherever the user wishes to roam; and (4) hardware tokens are often lost, misplaced, or stolen.

Thus, while hardware token systems offer increased 
security, they have several disadvantages compared to soft- 
ware based systems. It would, therefore, be desirable to have 
a system that combines the best features of both hardware 
and software based systems. 

SUMMARY OF THE INVENTION 

The present invention discloses a method and apparatus 
for the on-demand delivery of authentication credentials to 
roaming users. Credentials are stored, delivered and trans- 
mitted in software, obviating the need for additional hard- 
ware. In a basic embodiment of the system, a user can 
demand his credential at will, upon providing proof of 
identity in the form of shared secret(s) that he has previously 
escrowed with the credential server. The shared secret may 
be chosen by the user, and could be easily remembered 
secrets such as: mother's maiden name, third grade teacher, 
etc. The user will respond to challenges from the server via 
a challenge-response protocol, with the server demanding 
correct answers to such questions prior to releasing the 
user's credentials. In another embodiment of the invention, 
a user's authentication credential can be stored on the server 
protected by a simple shared secret scheme such as a 
password, a biometric authentication scheme based on a 
fingerprint or retinal image, or a one-to-one hashed shared 
secret. In yet another embodiment of the invention, the user 
interacts with the server via a cryptographically camou- 
flaged challenge-response protocol. In particular, if the user 
responds correctly to the server's challenges, the user will 
receive his authentication credentials. However, if the user 
responds incorrectly, such as might be the case with a hacker 
trying to break the system, the user will receive plausible 
and well-formed but invalid credentials. Furthermore, the authentication credential itself could be encrypted or camouflaged with an additional secret that is known only to the user. An authentication credential is said to be in cryptographically camouflaged form when it is embedded among many pieces of similar (pseudo-valid) data. These data are sufficiently different that the user can locate the correct piece without any difficulty, using a shared secret that he can remember. However, the pieces of data are also sufficiently alike that an intruder will find all of them equally plausible. Such a cryptographically camouflaged authentication credential can be provided to the user in either camouflaged or decamouflaged form; that is, the decamouflaging can be performed at either the credential server or at the user's computer. The various embodiments of the invention described above provide one or more of the following advantages: No additional hardware is required for deployment. This is in contrast with hardware tokens such as smart cards, where cards and card readers need to be deployed in a widespread fashion.

(1) High user convenience. Roaming users need not carry 
tokens with them, but can demand them as required. 

(2) Low administrative overhead. Users who have lost, 
misplaced or forgotten tokens do not require administrative 
intervention. 

(3) Rapid deployment rate. Soft credentials with roaming 
access can be deployed rapidly, since they are intuitive to 
use and require little user/administrator training. 

(4) Enhanced security over purely one-factor systems. 

BRIEF DESCRIPTION OF THE FIGURES 

FIG. 1 illustrates an exemplary embodiment of the inven- 
tion in which a user accesses a web server to conduct an 
electronic transaction with a transaction server protected by
an access control server. 

FIG. 2 illustrates an exemplary embodiment of a wallet in 
which a private key is protected by a PIN. 

FIG. 3 illustrates an exemplary embodiment in which the wallet of FIG. 2 is protected by a form of cryptographic camouflaging.

DETAILED DESCRIPTION OF THE 
INVENTION 


We now describe various exemplary embodiments of the invention using the exemplary context of a user operating a web browser to access one or more remote servers, whereby the user can freely roam about the Internet while still maintaining access to his authentication credential. Those skilled in the art will recognize that the invention is applicable to other client-server environments as well, including but not limited to databases, medical client stations, and financial trading stations. Furthermore, the network environment need not be the Internet, but could be an intranet or indeed any distributed computer network.

Referring now to FIG. 1, a user at Browser 140 wishes to access a Web Server 110 to conduct an electronic transaction. Web Server 110 is, in turn, safeguarded by Access Control Server 120, which prevents unauthorized access to Transaction Server 130. For example, Web Server 110 might be a company's home page, Access Control Server 120 might be a firewall, and Transaction Server 130 might contain proprietary company data that the user wishes to access. In yet another example, Access Control Server 120 might be a membership or credit/payment verification system, and Transaction Server 130 might be a back-end shipping/delivery system. Those skilled in the art will appreciate that any or all of servers 110, 120 and 130 may be combined into a single server, that there may be additional servers performing other specialized functions, that any of these servers may be co-located or widely distributed, and so forth. Similarly, the electronic transaction may be of virtually any type including, but not limited to, secure electronic mail, accessing privileged or confidential information, and purchasing electronic or physical goods or services.

Before accessing the Transaction Server 130 to perform the electronic transaction, the user first needs to authenticate himself to Access Control Server 120. As mentioned in the Background of the Invention, the user typically authenticates himself by using his private key to perform a cryptographic operation on a challenge sent by the Access Control Server 120. This cryptographic operation might be a simple encryption, a hash followed by encryption (commonly referred to as a digital signature), or still other protocols that are well known to those skilled in the art. Of course, in lower security applications, the authentication credential might be a simple password. Private key, password and other authentication credentials are well known to those skilled in the art, and need not be described in detail here. For examples thereof, the reader is referred to well-known, standard texts such as Applied Cryptography (Bruce Schneier, Second Edition, 1996, pp. 101-112 & 548-549) for details.

No matter what the authentication credential or protocol, if the Access Control Server 120 authenticates the user, the user is subsequently allowed to access the Transaction Server 140. The present invention provides a method and apparatus for providing the authentication credential, on demand, to a user who wishes to be able to access servers 110, 120 and/or 130 from a variety of Browsers 140 (the so-called "roaming user").
This on-demand roaming capability is provided by a
Credential Server 160 that downloads the authentication 
credential (e.g., private key) to the user at Browser 140 via 
a software Wallet 150. As used herein, Wallet 150 need only 
serve as a basic container for the authentication credential. 
As such, it could be considered to be simply the data 
structure in which the authentication credential is embodied, 
or it could be a more sophisticated container having the 
capability to handle other user-owned items such as a digital 
certificate or digital currency (including, without limitation, 
electronic cash or scrip). In a basic embodiment of the 
invention, Credential Server 160 is embodied as a web 
server. The user points his Browser 140 to the Credential 
Server, which sends the user a challenge in the form of a 
shared secret that has previously been associated with the 
user during a set-up phase. This shared secret might be of the 
following exemplary forms: 



Question: Mother's maiden name? Answer: Jones 

Question: Dog's name? Answer: Lucky 

Question: Favorite sport? Answer: Football 

Question: PIN? Answer: PIN 



The actual number of questions can vary from credential
server to credential server, as dictated by their respective
security policies. If the user provides the correct answer(s),
the Credential Server 160 obtains the user's wallet from a 
Wallet Database 170 (which may or may not be part of 
Credential Server 160) and provides the wallet to the user at 
Browser 140. In an alternative embodiment, the wallet, or a 
part thereof, could be provided directly to any of servers 110, 
120 & 130. 

In either of the foregoing, the wallet could be installed 
either: 1) in the memory space of the software program, 
and/or subsequently 2) onto the hard drive or other physical 
memory of the computer. If only the former, the authenti- 
cation credential would be destroyed when the session is 
ended. If the latter, the authentication credential could be 
available for use across multiple sessions on that particular 
computer. In either event, as the user roams to another 
computer, the process can be repeated to provide on-demand 
access to the needed authentication credential without the 
requirement of a physical token (even though the invention 
could also be used in conjunction with a physical token, as 
desired). 
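The shared-secret release just described, as an added example written for this page rather than code from the patent: a stand-in for Credential Server 160 escrows a user's question/answer pairs during the set-up phase, challenges the roaming user with a random subset of them, and hands back the wallet from its Wallet Database 170 stand-in only when every challenged question is answered. Everything beyond the text is this example's own assumption: the names `CredentialServer` and `roaming_user_flow`, the salted PBKDF2 storage of the escrowed answers, the two-question policy, and the lockout of a record after five missed challenges.

```python
"""Constructed example: on-demand credential delivery behind a
shared-secret challenge-response exchange (not the patent's code)."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 50_000   # assumption: slow hashing so a stolen record resists guessing


def _normalize(answer: str) -> str:
    """Case- and whitespace-insensitive matching so 'Jones' and ' jones ' agree."""
    return " ".join(answer.split()).lower()


def _hash_answer(salt: bytes, answer: str) -> bytes:
    # Answers are escrowed as salted PBKDF2 hashes rather than in the clear, so a
    # copy of the database does not directly reveal the user's shared secrets.
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, PBKDF2_ROUNDS)


@dataclass
class UserRecord:
    salt: bytes
    answers: dict                                # question -> hashed answer
    wallet: bytes                                # opaque wallet blob (Wallet Database 170)
    pending: list = field(default_factory=list)  # questions of the outstanding challenge
    failures: int = 0


class CredentialServer:
    """Stand-in for Credential Server 160 (hypothetical class, not the patent's)."""

    QUESTIONS_PER_CHALLENGE = 2   # assumption: the server's security policy
    MAX_FAILURES = 5              # assumption: lock the record after repeated misses

    def __init__(self):
        self._db = {}

    def enroll(self, user: str, shared_secrets: dict, wallet: bytes) -> None:
        """Set-up phase: escrow the user's shared secrets (hashed) and the wallet."""
        salt = os.urandom(16)
        hashed = {q: _hash_answer(salt, a) for q, a in shared_secrets.items()}
        self._db[user] = UserRecord(salt, hashed, wallet)

    def challenge(self, user: str) -> list:
        """Issue a challenge: a random subset of the escrowed questions."""
        rec = self._db[user]
        n = min(self.QUESTIONS_PER_CHALLENGE, len(rec.answers))
        rec.pending = secrets.SystemRandom().sample(list(rec.answers), n)
        return list(rec.pending)

    def respond(self, user: str, answers: dict):
        """Return the wallet if the answers satisfy the outstanding challenge, else None."""
        rec = self._db[user]
        if rec.failures >= self.MAX_FAILURES or not rec.pending:
            return None
        ok = True
        for q in rec.pending:
            given = answers.get(q, "")
            # constant-time compare; every question is checked even after a miss
            if not hmac.compare_digest(rec.answers[q], _hash_answer(rec.salt, given)):
                ok = False
        rec.pending = []          # a challenge may be answered only once
        if not ok:
            rec.failures += 1
            return None
        rec.failures = 0
        return rec.wallet


def roaming_user_flow(server: CredentialServer, user: str, known_answers: dict):
    """Client side (Browser 140): fetch the challenge, answer it, receive the wallet or None."""
    questions = server.challenge(user)
    return server.respond(user, {q: known_answers.get(q, "") for q in questions})


if __name__ == "__main__":
    srv = CredentialServer()
    # constructed enrolment data, mirroring the question/answer pairs in the text
    alice = {"Mother's maiden name?": "Jones", "Dog's name?": "Lucky",
             "Favorite sport?": "Football"}
    srv.enroll("alice", alice, b"<constructed wallet blob>")
    print("correct answers ->", roaming_user_flow(srv, "alice", alice))
    print("wrong answers   ->", roaming_user_flow(srv, "alice", {"Dog's name?": "Rex"}))
```

The server never sees which questions the client expected, only the answers to the ones it chose, and a challenge is consumed once whether or not it was answered correctly, so the same challenge cannot be retried with different answers. The failure counter plays the role that the text assigns to the smart card's lock-up after repeated misses: since the wallet is fetched from a server rather than guessed against offline, the server is the place where repeated wrong answers can be noticed and stopped.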

The foregoing illustrates the use of so-called shared 
secrets, whereby the user and the server both share copies of 
information required to access the system. Of course, the 
invention is not limited to such simple protocols which, by 
their nature, are subject to abuse by a dishonest server. For 
example, zero knowledge proofs, whereby the user can 
prove to the server that he knows his mother's maiden name 
(or other secret information) without actually revealing the 
name to the server, can also be used. As a simple example, 
the user's private key itself could be used in this fashion, for 
a verifier need only know the corresponding public key to 
verify the private key. The principles and implementations 
of zero knowledge proofs are well known to those skilled in 
the art and need not be described here. The reader is referred 
to well-known, standard texts such as Applied 
Cryptography, supra, for details. 
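The zero-knowledge use of the private key mentioned above, as an added example written for this page (not the patent's code): a Schnorr identification exchange, in which the prover shows it holds the discrete-log private key x behind the public key y = g^x while the verifier holds only y and learns nothing about x. The choice of Schnorr's protocol is this example's own; the group parameters P, Q, G are toy values chosen so the arithmetic can be checked by hand, and a real deployment would use a standard group of 2048 bits or more with exactly the same four steps.

```python
"""Constructed example: Schnorr identification over a toy group (not the patent's code)."""
import secrets

# Toy parameters (assumption): p = 2q + 1 with q = 11, and g = 4 generates the
# order-q subgroup of Z_p^*.  Only the protocol shape matters here.
P, Q, G = 23, 11, 4


def keygen():
    """Private key x, public key y = g^x mod p.  Only y is handed to the verifier."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def commit():
    """Prover step 1: fresh nonce r and the commitment t = g^r mod p."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)


def challenge() -> int:
    """Verifier step 2: a random non-zero challenge c in [1, q)."""
    return secrets.randbelow(Q - 1) + 1


def respond(x: int, r: int, c: int) -> int:
    """Prover step 3: s = r + c*x mod q.  The fresh r masks x, so s reveals nothing about it."""
    return (r + c * x) % Q


def verify(y: int, t: int, c: int, s: int) -> bool:
    """Verifier step 4: accept iff g^s == t * y^c mod p, which needs only the public key."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def identification_run(x: int, y: int) -> bool:
    """One complete exchange between the prover (the user's browser) and the verifier (the server)."""
    r, t = commit()      # prover -> verifier: t
    c = challenge()      # verifier -> prover: c
    s = respond(x, r, c) # prover -> verifier: s
    return verify(y, t, c, s)


if __name__ == "__main__":
    x, y = keygen()
    print("honest prover accepted:", identification_run(x, y))
```

Because g has prime order q, a response computed with any other private key x' satisfies g^s = t * y^c only if c(x' - x) is 0 mod q, which never happens for a non-zero challenge; so a single run rejects a wrong key outright, and in the toy group an impostor guessing the challenge in advance still succeeds only one time in ten. The shared-secret protocols earlier in the text give the server a copy of the secret; here the server stores nothing that would let a dishonest server impersonate the user.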

In one embodiment of the invention, the wallet might itself be protected by a shared secret. For example, FIG. 2 shows an exemplary embodiment of a wallet in which a private key is protected by a PIN. The PIN (more generally, a shared secret) might be the shared secret transmitted by the user to the Credential Server 160, as discussed previously, and the private key (more generally, the authentication credential) in the wallet might be decrypted by Credential Server 160 and provided in the clear to the user at Browser 140. Alternatively, the entire wallet (including the authentication credential in encrypted form) might be provided to the user, for the user to decrypt locally at Browser 140. With either approach, the process of decrypting the PIN-protected authentication credential is as follows. The user enters a PIN 200 (more generally, an access code) to unlock the wallet, and the PIN is passed through a one-to-one hash function 210. The hash function may also include a salt value or other security-enhancing feature, as will be appreciated by persons skilled in the art. The hashed value 215 of the entered PIN is compared with a stored hash value 220, which is the hashed value of the correct PIN. If the two hash values agree, the PIN is passed to decryption module 240. The private key, which has been encrypted (with the correct PIN as the encryption key) and stored in field 230, is decrypted by decryption module 240, which is typically DES or some other cryptographic function such as, for example, triple-DES, IDEA or BLOWFISH. Hence, the decrypted private key 250 is released for use.

The cryptographic operations of computing the hash(es) and decrypting the stored hash may be implemented using one or more cryptographic logic (e.g., software or hardware) modules, and the correct hash value and private key may be stored in protected data fields or other forms of memory (e.g., read from ROM, from computer-readable media, etc.). A typical key wallet would also include input and output logic for receiving candidate PINs and outputting decrypted private keys, as well as logic for management, viewing, copying, and handling of keys and other data.

The one-to-one nature of the hash function ensures that the correct PIN and only the correct PIN will unlock the key wallet. Unfortunately, it also allows a malicious hacker to guess the complete PIN via a brute force search. For example, he might write a program that simply checks all six-digit PIN codes on the key wallet. If he gets a copy of the key wallet, he can carry out this attack on his computer, completely undetected and in an automated fashion, in a matter of a few minutes.

To resist the PIN hash attack, another embodiment of the invention uses a technique called cryptographic camouflaging to provide even greater security in connection with the authentication credential. Cryptographic camouflaging is described in summary form below with respect to FIG. 3; for full details, the reader may refer to co-pending U.S. patent application Ser. No. 08/996,758, which is incorporated herein by reference.

Referring now to FIG. 3, the authentication credential (e.g., private key) is protected via an access code as in FIG. 2. However, the one-to-one hash is replaced with a many-to-one hash, i.e., a hash in which many inputs produce (i.e., regenerate) the same hashed output. In an exemplary implementation, the many-to-one hash function 310 might hash six-digit codes to two-digit hash values. As in the conventional key wallet, the hashed value 315 of the entered PIN 300 is compared with the stored hash value 320, which is the hashed value of the correct PIN. If the two hash values agree, the key wallet opens. The private key is again stored encrypted in field 330 of the key wallet, with the correct PIN as the encryption key. When the correct PIN is entered, the stored encrypted key is decrypted and the correct private key 350 is released for use. However, since the hash function is many-to-one, there will be many different entered PINs that will satisfy the hash challenge to open the key wallet. (PINs that hash to the same hash value as the correct PIN, including the correct PIN, are referred to herein as pseudo-valid PINs.) For example, if the hash function hashes six-digit codes to two-digit hash values, there will be 10,000 six-digit pseudo-valid PINs that will open the key wallet, out of a total of 1,000,000 possible six-digit codes. Pseudo-valid PINs will all be passed to the decryption module 340 to decrypt the stored encrypted key to produce a candidate private key. However, all but one of these candidate private keys will be incorrect decryptions of the stored (correct) private key. Only when the entered PIN is the correct PIN will the correct private key be recovered.

Preferably, the many-to-one hash function above should be chosen to be a good hash. For example, and without limitation, MD5 and SHA are well-known good hash functions. Good hash functions are one means to substantially uniformly distribute the pseudo-valid PINs in the space of all possible PINs. For example, consider a hash function from six-digit codes to two-digit hash values. Of the 1,000,000 possible input values, 10,000 will be pseudo-valid PINs. If the hash function is a good hash, these values will be substantially uniformly distributed. In particular, one in a hundred PINs will be pseudo-valid, and these will be effectively randomly distributed. Specifically, the chances are 1/100 that if the user makes a typographical error in entering the correct PIN, then the resulting PIN will be a pseudo-valid PIN.

Another possible embodiment uses a weak hash, i.e., one which results in clustering of pseudo-valid PINs, whereby an intruder who guesses one pseudo-valid PIN will more easily find others. A legitimate user making a series of 1-digit typographical errors would also get a sequence of pseudo-valid PINs and, if the system accepting the private key or messages encrypted thereby has an alarm-or-disable-upon-repeated-failure feature, this would inadvertently lock out the legitimate user. Thus a weak hash is typically disfavored over the good hash. Nevertheless, there may be some applications where a weak hash provides certain characteristics such as computational efficiency and ease of implementation that are advantageous for specialized applications.

The foregoing paragraphs describe techniques for further protecting the wallet, either with a one-to-one or many-to-one hash. It will be appreciated by those skilled in the art that the decryption processes 200-250 and 300-350 (e.g., cryptographic decamouflaging) may be performed at either the user's computer or at the Credential Server 160. In the former case, the wallet is downloaded to the user in decrypted form, while in the latter, the wallet is decrypted at the Credential Server 160 before downloading to the user.

More generally, it will also be appreciated that the various challenge-response protocols described to this point (e.g., the simple shared secret; the biometric method such as fingerprint recognition; the one-to-one hashed secret of FIG. 2; and the many-to-one hashed secret of FIG. 3) can be used at either the Credential Server 160 or at Browser 140, and that such use can occur in any combination or permutation. For example, with minimal security, the Credential Server 160 could be accessed by a simple shared secret, and the wallet could be downloaded to the user in the clear. Alternatively, the wallet could be further protected by a one-to-one or many-to-one (i.e., cryptographically camouflaged) hashed shared secret and decrypted at the Credential Server in response to the user's responding to the appropriate challenge-response protocol. The decrypted (or, in the case of the many-to-one hash, the decamouflaged) wallet would then be downloaded to the user in the clear. For greater security, the wallet could be downloaded to the user in camouflaged form, with the decamouflaging occurring at the user's computer. For still greater security, a one-to-one or many-to-one hash process could replace the simple shared secret for the initial server access. In general, then, the one-to-one hash or many-to-one hash could be deployed at the initial server access stage, while any of the simple shared secret, one-to-one hash, many-to-one hash techniques could be employed at the subsequent wallet downloading stage.

Because of these and other variations that will be understood to those skilled in the art, it is therefore intended that the scope of the invention be not limited to the particular embodiments disclosed herein, but rather to the full breadth of the claims appended hereto.

What is claimed is:

1. A computer-implemented method for obtaining, in a networked environment, an authentication credential usable to conduct an electronic transaction, comprising:
(a) accessing, over a network, a server to request therefrom a predetermined authentication credential, said authentication credential:
(i) in existence at said server prior to said request therefor,
(ii) uniquely identifying a requestor thereof, and
(iii) suitable for use in conducting an electronic transaction;
(b) receiving, from said server, a challenge soliciting a predetermined response associated with a holder of said authentication credential;
(c) transmitting an answer to said challenge; and
(d) in response to a determination by said server that said answer satisfies said challenge, receiving said authentication credential from said server;
said method being operable in a repeatable, on-demand manner by said requestor from a plurality of requestor locations.

2. The method of claim 1 where said authentication credential includes a secret credential of said requestor.

3. The method of claim 2 where said secret credential is a private key.

4. The method of claim 2 further comprising:
(e) using said authentication credential to conduct said electronic transaction; and
(f) deleting said credential from said requestor's computing device.

5. The method of claim 2 where said requestor's computing device includes a web browser, and said network is a distributed computer network.

6. The method of claim 2 where said requestor's computing device includes a digital wallet.

7. The method of claim 2 where said response includes a shared secret between said server and said requestor.

8. The method of claim 1 further comprising:
(e) using said authentication credential to conduct said electronic transaction; and
(f) deleting said credential from said requestor's computing device.

9. The method of claim 8 where said authentication credential includes a private key of said requestor.

10. The method of claim 1 where said received authentication credential is in cryptographically camouflaged form.

11. The method of claim 10 where said authentication credential is encrypted under an access code, and further comprising:
(i) receiving from said requestor a candidate access code;
(ii) verifying that said candidate access code belongs to a family of pseudo-valid responses; and
(iii) using said pseudo-valid candidate access code to decrypt said stored authentication credential.

12. The method of claim 11 where said pseudo-valid responses have the characteristic of being hashable to the same output as said access code.

13. The method of claim 12 where said authentication credential includes a private key of said requestor.

14. The method of claim 10 where said authentication credential includes a secret credential of said requestor.

15. The method of claim 10 further comprising the steps of:
(e) using said authentication credential to conduct said electronic transaction; and
(f) deleting said credential from said requestor's computing device.

16. The method of claim 1 where said challenge and response are members of a zero knowledge proof protocol.

17. The method of claim 1 where said steps (b) and (c) are part of a cryptographic camouflage challenge-response protocol.

18. The method of claim 1 further comprising downloading a digital currency from said server along with said authentication credential.

19. An apparatus for obtaining, in a networked environment, an authentication credential usable to conduct an electronic transaction, comprising:
(a) a network interface configured to:
(i) access, over a network, a server to request therefrom a predetermined authentication credential, said authentication credential:
(A) in existence at said server prior to said request therefor,
(B) uniquely identifying a requestor thereof, and
(C) suitable for use in conducting an electronic transaction, and
(ii) receive, from the server, a challenge soliciting a predetermined response associated with said requestor of said authentication credential;
(b) a user interface configured to receive, from said requestor, an answer to said challenge;
(c) said network interface configured to receive said authentication credential in response to a determination by said server that said answer satisfies said challenge; and
(d) a memory configured to store said authentication credential at said requestor's computing device;
said apparatus being usable by said requestor to obtain repeated, on-demand access from a plurality of requestor locations.

20. The apparatus of claim 19 wherein said authentication credential includes a secret credential of said requestor.

21. The apparatus of claim 20 wherein said secret credential is a private key.

22. The apparatus of claim 19 configured for use as a web browser, and wherein said network is a distributed computer network.

23. The apparatus of claim 19 configured for use as a digital wallet.

24. The apparatus of claim 19 wherein said server is configured to store said authentication credential in cryptographically camouflaged form.

25. The apparatus of claim 24 wherein:
(i) said authentication credential is encrypted under an access code;
(ii) said user interface is configured to receive, from said requestor, a candidate access code; and
(iii) further comprising cryptographic logic configured to:
(iv) verify that said candidate access code belongs to a family of pseudo-valid responses; and
(v) use said pseudo-valid candidate access code to decrypt said stored authentication credential.

26. The apparatus of claim 25 wherein said pseudo-valid responses have the characteristic of being hashable to the same output as said access code.

27. The apparatus of claim 26 wherein said authentication credential includes a private key of said requestor.

28. The apparatus of claim 19 wherein said challenge and said predetermined response are part of a cryptographic camouflage challenge-response protocol.

29. The apparatus of claim 24 wherein said authentication credential includes a secret credential of said requestor.

30. A computer-implemented method for providing, in a networked environment, an authentication credential usable to conduct an electronic transaction, comprising:
(a) receiving from a requestor, over a network, a request for a predetermined authentication credential, said authentication credential:
(i) in existence at said server prior to said request therefor,
(ii) uniquely identifying a requestor thereof, and
(iii) suitable for use in conducting an electronic transaction;
(b) transmitting, to said requestor, a challenge soliciting a predetermined response associated with said requestor;
(c) receiving an answer to said challenge;
(d) determining that said answer satisfies said challenge; and
(e) transmitting said authentication credential for said requestor;
said method being operable to process repeated, on-demand authentication credential requests by said requestor at a plurality of requestor locations.

31. The method of claim 30 where said authentication credential includes a secret credential of said requestor.

32. The method of claim 31 where said secret credential is a private key.

33. The method of claim 31 where said requestor is at a web browser, and said network is a distributed computer

40. The method of claim 36 where said authentication credential includes a secret credential of said requestor.

41. The method of claim 36 where said step (e) includes transmitting said authentication credential to said requestor in cryptographically camouflaged form for cryptographic decamouflaging by said requestor.

42. The method of claim 30 further comprising sending a digital currency to said requestor along with said authentication credential.

43. An apparatus for providing, in a networked environment, an authentication credential usable to conduct an electronic transaction, comprising:
(a) a network interface configured to:
(i) receive from a requestor, over a network, a request for a predetermined authentication credential, said authentication credential:
(A) in existence at said apparatus prior to said request therefor,
(B) uniquely identifying a requestor thereof, and
(C) suitable for use in conducting an electronic transaction,
(ii) transmit a challenge soliciting a predetermined response associated with said requestor, and
(iii) receive, from said holder, an answer to said challenge;
(b) logic configured to determine whether said answer satisfies said challenge; and
(c) a memory configured to store said authentication credential to be released for said requestor;
said apparatus being operable to process repeated, on-demand authentication credential requests by said requestor at a plurality of requestor locations.

44. The apparatus of claim 43 wherein said authentication credential includes a secret credential of said requestor.

45. The apparatus of claim 44 wherein said secret credential is a private key.

46. The apparatus of claim 44 wherein said response includes a shared secret between said server and said requestor.

47. The apparatus of claim 43 wherein said server is configured to store said authentication credential in cryptographically camouflaged form.

network **** apparatus of claim 47 wherein said authentication 

34. The method of claim 31 where said transmitting is to credential is encrypted under an access code, and where said 
a digital wallet of said requestor. lo S ic to determine whether said answer satisfies said chal- 

35. The method of claim 31 where said response includes 5Q len S e includes: 

a shared secret between said server and said requestor. (j) cryptographic logic for verifying that said answer 

36. The method of claim 30 where said server is config- belongs to a family of pseudo-valid responses; and 
ured to store said authentication credential in cryptographi- ^ cryptographic logic for using said answer to decrypt 
cally camouflaged form. said stored authentication credential. 

37. The method of claim 36 where said authentication 55 49 ^ apparatus of c l a im 48 where said pseudo-valid 
credential is encrypted under an access code, and where said reS ponses have the characteristic of being hashable to the 
determining that said answer satisfies said challenge same omput as said acc£SS 

includes: 5Q jhe apparatus of claim 49 where said authentication 

(i) verifying that said answer belongs to a family of credential includes a private key of said requestor, 
pseudo-valid responses; and 60 51. The apparatus of claim 47 wherein said network 

(ii) using said response to decrypt said stored authentica- interface is configured to release said authentication creden- 
tion credential. tial to said requestor in cryptographically camouflaged form 

38. The method of claim 37 where said pseudo-valid for cryptographic decamouflaging by said requestor, 
responses have the characteristic of being hashable to the 52. The apparatus of claim 47 wherein said authentication 
same output as said access code. 65 credential includes a secret credential of said user. 

39. The method of claim 38 where said authentication 

credential includes a private key of said requestor. ***** 
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
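An added illustration, not code from the patent, of the camouflaged storage in claims 36 and 47 and the pseudo-valid-family check followed by decryption in claims 25, 37 and 48. The 8-bit family tag, the SHA-256 keystream, the 4-digit access codes and the sample key are assumptions made for the example.

```python
import hashlib
from typing import List, Optional

FAMILY_BITS = 8  # assumption: the pseudo-valid family is defined by an 8-bit many-to-one hash

def family_tag(access_code: str) -> int:
    """Many-to-one hash of the access code (claims 26/38/49): every code maps to one of
    2**FAMILY_BITS tags, so roughly one candidate in 256 is pseudo-valid."""
    digest = hashlib.sha256(b"family|" + access_code.encode()).digest()
    return int.from_bytes(digest, "big") & ((1 << FAMILY_BITS) - 1)

def keystream(access_code: str, length: int) -> bytes:
    """Deterministic keystream derived from the access code (SHA-256 in counter mode)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(b"key|" + access_code.encode() + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def camouflage(credential: bytes, access_code: str) -> dict:
    """Server-side storage (claims 36/47): the credential is encrypted under the access code and
    only the family tag is kept. The credential carries no redundancy, so a wrong but
    pseudo-valid code decrypts to an equally plausible-looking value (the camouflage)."""
    return {"tag": family_tag(access_code),
            "blob": xor_bytes(credential, keystream(access_code, len(credential)))}

def is_pseudo_valid(stored: dict, candidate: str) -> bool:
    return stored["tag"] == family_tag(candidate)

def release_credential(stored: dict, candidate: str) -> Optional[bytes]:
    """Claims 25/37/48: verify the candidate belongs to the pseudo-valid family, then use it
    to decrypt. Returns None when the candidate is not pseudo-valid."""
    if not is_pseudo_valid(stored, candidate):
        return None
    return xor_bytes(stored["blob"], keystream(candidate, len(stored["blob"])))

def pseudo_valid_members(stored: dict, candidates: List[str]) -> List[str]:
    """Every candidate the check accepts; all but one decrypt to a wrong, random-looking key."""
    return [c for c in candidates if is_pseudo_valid(stored, c)]

# Constructed sample: a 32-byte secret standing in for the requestor's private key.
SAMPLE_CREDENTIAL = hashlib.sha256(b"constructed sample private key").digest()
SAMPLE_ACCESS_CODE = "4711"

if __name__ == "__main__":
    stored = camouflage(SAMPLE_CREDENTIAL, SAMPLE_ACCESS_CODE)
    pins = [f"{i:04d}" for i in range(10000)]
    print("pseudo-valid 4-digit codes:", len(pseudo_valid_members(stored, pins)))
    print("correct code recovers key:", release_credential(stored, SAMPLE_ACCESS_CODE) == SAMPLE_CREDENTIAL)
```

With the 8-bit tag, roughly 39 of the 10,000 four-digit codes pass the check, and only the holder of the real code can tell which of the resulting keys is genuine, which is why the stored form discloses no more than the tag.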